Advanced Persistent Threats: Protecting German Manufacturing with Managed Detection and Response

Advanced Persistent Threats, or APTs, are sustained, targeted intrusions in which an attacker breaches a network and keeps a foothold there to reach valuable data. To get a sense of the scale of the challenge Germany and others face, look no further than the growth of the APT protection market.

The Advanced Persistent Threat Protection market will reach $14.6 billion by 2025, with a CAGR of 16.1% from 2020 to 2025.

The market for cybersecurity solutions designed to address APT attacks is growing because the threat continues to expand across all industrial sectors and countries. Ransomware, Denial-of-Service (DoS) attacks, and intellectual property theft are all among the attack types attributed to APT groups.

ForeNova, a global provider of managed detection and response (MDR) services, understands the growing problem of APTs targeting high-value industries in Germany. These APTs go after high-value data, with intellectual property theft a primary objective.

German manufacturing firms look to MDR providers like ForeNova for 24/7 monitoring, automated incident response, and greater visibility into APT activity.


Impact of APTs on the Manufacturing Sector in Germany

Bitkom announced a projected cost of 206 billion euros ($224 billion) for IT theft, data breaches, espionage, and sabotage in Germany during 2023. This report marks the third year in a row exceeding 200 billion euros, according to a survey of over 1,000 companies.

State-sponsored cyberattacks against high-value German manufacturers are second only to industrial espionage as a source of loss. Both continue to increase in complexity and sophistication.

Behind these attacks sit complex, increasingly automated kill chains, some of them built with adversarial AI tooling. A single kill chain combines several attacks, including:

  • Distributed Denial of Service against edge architectures, including web portals, Zero Trust access gateways, and SASE-based instances.
  • Advanced email attacks against manufacturing site managers, production teams, and operations groups, which are very common.

Ransomware attacks on German manufacturers, most of them starting with phishing email, continue to rise. The endgame is to extort the firm, shut down critical production systems, or redirect global supply orders to the wrong suppliers.

The kill chain also includes social engineering, physical intrusion, and the constant risk posed by insiders.

Rise in Insider Threats Within Manufacturing

Manufacturing firms face a dual challenge: trusted network users can exfiltrate crucial data, and the investigation that follows brings operational disruption and production slowdowns of its own.

Dealing with State-Sponsored APT Groups

State-sponsored attacks add another dimension to the attack surface. China, Russia, North Korea, Vietnam, Nigeria, South Africa, and other nation-states all contribute to the APT problem globally.

APT groups funded by nation-states present several challenges for cybersecurity teams across all industries. Most are well funded, have access to state-sponsored security research and tooling, and draw on a pool of talent from their countries' military forces.

MuddyWater (Iran)

This Iranian state-sponsored group is widely known to target the energy and defense industries. It is sometimes labelled APT34, but that designation properly refers to OilRig, a separate Iranian group.

Fancy Bear (APT 28)

Active since at least 2004, this Russian state-sponsored APT group targets manufacturing and critical infrastructure in the United States and Germany.

Chinese hacker group APT 27

This APT group has targeted German companies in sectors such as pharmaceuticals and technology and successfully stolen valuable intellectual property assets.

APT31: Judgment Panda

This Chinese state-sponsored APT group conducts cyber espionage in the national interest, employing sophisticated spear-phishing, malware, and zero-day vulnerabilities to target governments, businesses, and political entities globally.

Judgment Panda targets U.S., German, and Hong Kong political figures, critical infrastructure, and industrial manufacturing.

Which Manufacturing Industries in Germany Remain the Highest Value Targets for Hackers?

Previously, APT groups focused their cyberattack efforts on stealing money, committing financial fraud through email phishing, and leveraging ransomware to extort money from their victims.

APT groups that target the German manufacturing sector do so on the calculation that disrupting operations, stealing intellectual property, and extorting the victim are far more profitable.

Manufacturers hit by unplanned production outages face financial losses of between $900 and $17,000 per minute. The same attacks also cause downstream problems for the supply chain that supports the manufacturing process.

Hackers targeting high-value manufacturing may embed malware in user devices, host-based application platforms, and robotic control units. These implants go unnoticed because most such devices and hosts receive infrequent software updates and little security scrutiny.

More often than not, these well-placed implants were introduced through an email phishing campaign.

Automotive

Like other German manufacturing firms, the German automotive industry continues to experience various cyberattacks against its employees, supply chain partners, and networks.

A Volkswagen data breach exposed the information of 800,000 electric-vehicle customers. Volkswagen has also faced intellectual property theft: in 2015, hackers compromised nearly 19,000 documents related to the company's research and development projects, an intrusion that did not become public until 2024.

Chemical

Two former employees of Lanxess, a German chemical company, stole intellectual property, including trade secrets and information on constructing next-generation nuclear reactors.

The buyers of these trade secrets included a Chinese company that planned to use the stolen information to develop a competing product against Lanxess.

Machinery

Nation-state hackers and hacktivists globally target manufacturing businesses like VARTA.

In February 2024, hackers breached VARTA AG's systems, disrupting global battery production and impacting its supply chain. Two weeks later, VARTA disclosed the scope of the attack and confirmed a temporary, precautionary shutdown of IT systems and production.

Pharmaceutical

In January 2022, the BfV (Bundesamt für Verfassungsschutz, Germany's domestic intelligence agency) warned that APT 27, a Chinese hacker group known for attacking Western government agencies, was targeting German pharmaceutical and technology companies.

“Besides stealing trade secrets and intellectual property, the hackers tried to penetrate customers’ and service providers’ networks to infiltrate several companies simultaneously.”

Researchers have also identified a new extortion group, Morpheus, active since December 12, 2024, which claims to have stolen data from Arrotex Pharmaceuticals (Australia) and PUS GmbH (Germany).

The Role of Managed Detection and Response (MDR)

MDR providers like ForeNova are critical in stopping APT groups before they succeed. ForeNova's expertise in proactive monitoring, observability, automated incident response, and threat modeling helps protect clients from a wide range of cyberattacks.

NovaMDR, ForeNova's MDR service, ingests log data from endpoint devices, Microsoft 365, and other sources. Using AI and ML, NovaMDR processes that data in real time to detect attacks quickly. Combined with automated incident response, this lets it contain a ransomware attack at its earliest signs.

Handling these early signs also reduces the staffing cost of incident response. Organizations that use firms like ForeNova can reallocate staff to other parts of the organization.

Benefits of Implementing MDR in Manufacturing

Using NovaMDR in manufacturing supports several engagement models. Automotive manufacturers seeking TISAX compliance can use NovaMDR to monitor the critical cybersecurity controls protecting the supply chain connections and applications covered by that assessment.

Chemical manufacturing firms in Germany can also use NovaMDR to monitor the intrusion prevention systems, firewalls, and email systems that protect the Internet-of-Things (IoT) devices controlling chemical compound distribution, environmental controls, and flow control systems.

German machinery firms migrating to Industry 5.0 robotics and automation controls can benefit from having ForeNova monitor these devices. Ransomware operators attempt to gain control of the computer control units for these automated tools, which can shut down operations entirely. NovaMDR's real-time log processing and automated incident response help protect the production line systems from such attacks.

Like other German manufacturing firms, pharmaceutical firms continue to transform their research platforms globally by promoting greater interconnection and collaboration. This transformation carries an inherent risk: organizations working together on treatments for AIDS and COVID-19 become targets for intellectual property theft by insiders. Contractors, disgruntled employees, or even competitors could be among these insiders.

NovaMDR's processing of endpoint and Microsoft 365 logs helps determine whether someone is copying valuable data to a USB drive or using email to send files outbound.
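As an added illustration of the log-based insider detection described in this paragraph and in the earlier section on insider threats, and not ForeNova's or NovaMDR's own code, the Python sketch below runs two simple rules over constructed endpoint device-control and Microsoft 365 audit-style events and then correlates the hits per user. The event field names, the internal mail domain, the filename keywords, and the time windows are all assumptions chosen for the example.

```python
"""Toy insider-exfiltration detector (added example, not a vendor implementation).

Assumed event shapes (not any product's real schema):
  endpoint: RemovableMediaMounted / FileCopied device-control events
  m365:     Exchange "Send" audit events with recipients and attachments
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAINS = {"example-manufacturing.de"}  # assumption: the firm's own mail domains
SENSITIVE_MARKERS = ("confidential", "r&d", "design", "formula")  # assumption: filename keywords
MOUNT_WINDOW = timedelta(hours=8)         # a copy counts only if this user mounted media within 8h
CORRELATION_WINDOW = timedelta(hours=24)  # USB copy plus external send within 24h -> high severity

# Constructed sample events, not real logs.
EVENTS = [
    {"src": "endpoint", "ts": "2025-04-10T08:02:11Z", "user": "m.schmidt",
     "action": "RemovableMediaMounted", "mount_point": "E:"},
    {"src": "endpoint", "ts": "2025-04-10T08:05:40Z", "user": "m.schmidt",
     "action": "FileCopied", "file": "R&D_gearbox_design_v7.step", "target": "E:\\backup\\"},
    {"src": "m365", "ts": "2025-04-10T08:30:00Z", "user": "m.schmidt", "action": "Send",
     "recipients": ["broker@gmail.com"], "attachments": ["R&D_gearbox_design_v7.step"]},
    {"src": "m365", "ts": "2025-04-10T09:00:00Z", "user": "a.weber", "action": "Send",
     "recipients": ["colleague@example-manufacturing.de"], "attachments": ["agenda.docx"]},
    {"src": "endpoint", "ts": "2025-04-10T09:10:00Z", "user": "a.weber",
     "action": "FileCopied", "file": "lunch_menu.pdf", "target": "E:\\"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_external(address):
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def is_sensitive(filename):
    """Crude classifier: keyword match on the file name."""
    name = filename.lower()
    return any(marker in name for marker in SENSITIVE_MARKERS)


def detect(events):
    """Run per-event rules, then correlate hits per user. Returns a list of alert dicts."""
    alerts = []
    last_mount = {}           # user -> (mount time, mount point)
    hits = defaultdict(list)  # user -> [(time, rule)]

    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts, user = parse_ts(e["ts"]), e["user"]

        if e["src"] == "endpoint" and e["action"] == "RemovableMediaMounted":
            last_mount[user] = (ts, e["mount_point"])

        elif e["src"] == "endpoint" and e["action"] == "FileCopied":
            # Rule 1: sensitive file copied onto media this user mounted recently.
            mount = last_mount.get(user)
            if (mount and ts - mount[0] <= MOUNT_WINDOW
                    and e["target"].upper().startswith(mount[1].upper())
                    and is_sensitive(e["file"])):
                alerts.append({"user": user, "ts": e["ts"], "rule": "usb_copy_sensitive",
                               "severity": "medium", "detail": e["file"]})
                hits[user].append((ts, "usb_copy_sensitive"))

        elif e["src"] == "m365" and e["action"] == "Send":
            # Rule 2: sensitive attachment sent to an external recipient.
            external = [r for r in e["recipients"] if is_external(r)]
            sensitive = [a for a in e.get("attachments", []) if is_sensitive(a)]
            if external and sensitive:
                alerts.append({"user": user, "ts": e["ts"], "rule": "external_send_sensitive",
                               "severity": "medium", "detail": f"{sensitive} -> {external}"})
                hits[user].append((ts, "external_send_sensitive"))

    # Correlation: both rules firing for one user inside the window escalates to high.
    for user, user_hits in hits.items():
        rules = {rule for _, rule in user_hits}
        times = [t for t, _ in user_hits]
        if ({"usb_copy_sensitive", "external_send_sensitive"} <= rules
                and max(times) - min(times) <= CORRELATION_WINDOW):
            alerts.append({"user": user, "ts": max(times).strftime("%Y-%m-%dT%H:%M:%SZ"),
                           "rule": "correlated_exfiltration", "severity": "high",
                           "detail": "removable-media copy and external send of sensitive files"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f'{alert["severity"]:6} {alert["user"]:12} {alert["rule"]:26} {alert["detail"]}')
```

On the sample data only m.schmidt trips both rules and is escalated; a.weber's internal email and non-sensitive USB copy produce nothing. The point of keeping the mount event as a precondition is that a bare "file copied to E:" is meaningless without knowing E: was removable media, which is the kind of cross-source context a single log stream cannot provide.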

Why ForeNova?

Germany has some of the world’s most advanced manufacturing techniques. However, over two-thirds of German companies have been affected by a security breach, as attackers, some suspected of being foreign spy agencies, seek to steal trade secrets.

ForeNova’s expertise in identifying early signs of a persistent threat through email, endpoint, or network channels helps lower the risk for their German manufacturing clients.

Combining its knowledge of global APT groups, its artificial intelligence (AI) and machine learning (ML) defensive capabilities, and its compliance reporting support, ForeNova continues to grow into a strategic service partner that helps clients stop APT attacks and intellectual property theft.
